Firewall Excessive Hit 5.2.6
- Updated on 01 Mar 2023
tags: python | Automation | PaloAlto | Firewall EDL | Azure Blobs
Description
The Excessive Hit automation supports CDC users by automating the playbook that the CyberProof Monitoring/SOC teams use to address repeated connection attempts from external IP addresses to the client's network over the last 30 days, as recorded in the firewall logs.
The automation follows the playbook's decision steps: it counts the alerts for each reported IP and, depending on the outcome, either ignores the IP, enriches it, or blocks it through the Firewall EDL integration.
Splunk is the data source: it filters the firewall alerts and forwards them to the automation. Each reported IP is enriched with AbuseIPDB to determine whether it is malicious. A malicious IP is added to the blocklist through the Firewall EDL integration; otherwise no action is taken on the IP address.
To reduce the risk of blocking legitimate business IP addresses, a whitelist is provisioned; an IP address entered there is never blocked, whatever its alert count or reputation.
When the actions are complete, all of the collected information is sent to the CDC as an alert.
Field | Value |
---|---|
Integration Type | Automation |
Information read | Splunk alert regarding excessive hits on firewalls |
API Supported | |
Input | Alert from Splunk |
Output | Creation of a ticket in the CDC, writing entries in the EDL blocklist on Azure Blobs, etc. |
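The decision path described above (30-day alert count, whitelist, reputation enrichment, EDL write-out), as an added worked example; this is not code from the Firewall Excessive Hit pack. The alert rows, the whitelist, the reputation table standing in for the AbuseIPDB call, the thresholds (three or more alerts in the window escalates, which reconciles the two workflow descriptions below; a score of 75 or more counts as malicious) and the one-address-per-line EDL layout are all assumptions.

```python
"""Added example, not the pack's own code: the triage path the Description
sketches, run over constructed Splunk alert rows. All names and thresholds
here are assumptions, not values taken from the pack."""
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)   # constructed "current time"
WINDOW = timedelta(days=30)
MIN_ALERTS = 3          # assumption: three or more alerts in the window escalates
MALICIOUS_SCORE = 75    # assumption: AbuseIPDB-style confidence score that means "block"

# Constructed whitelist: exact hosts and whole ranges must never reach the EDL.
WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]

# Constructed stand-in for the AbuseIPDB enrichment (score 0-100, higher is worse).
REPUTATION = {"192.0.2.7": 100, "192.0.2.8": 12}

# Constructed Splunk alert history: one row per "excessive deny" alert.
ALERTS = [
    {"src_ip": "192.0.2.7", "_time": NOW - timedelta(days=1)},
    {"src_ip": "192.0.2.7", "_time": NOW - timedelta(days=9)},
    {"src_ip": "192.0.2.7", "_time": NOW - timedelta(days=20)},
    {"src_ip": "192.0.2.7", "_time": NOW - timedelta(days=45)},  # outside the window
    {"src_ip": "192.0.2.8", "_time": NOW - timedelta(days=2)},
    {"src_ip": "192.0.2.8", "_time": NOW - timedelta(days=3)},
    {"src_ip": "192.0.2.8", "_time": NOW - timedelta(days=4)},
    {"src_ip": "198.51.100.44", "_time": NOW - timedelta(days=1)},
    {"src_ip": "198.51.100.44", "_time": NOW - timedelta(days=2)},
    {"src_ip": "198.51.100.44", "_time": NOW - timedelta(days=3)},
    {"src_ip": "192.0.2.9", "_time": NOW - timedelta(days=5)},
]


def is_whitelisted(ip: str) -> bool:
    """True if ip is covered by any whitelist host or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def alert_count(ip: str, alerts, now=NOW) -> int:
    """Number of alerts for ip whose timestamp lies inside the trailing 30-day window."""
    return sum(1 for a in alerts if a["src_ip"] == ip and now - a["_time"] <= WINDOW)


def lookup_reputation(ip: str) -> int:
    """Stand-in for the AbuseIPDB lookup; unknown IPs get the lowest score."""
    return REPUTATION.get(ip, 0)


def triage(ip: str, alerts=ALERTS, now=NOW) -> dict:
    """Decide what the playbook would do for one reported IP.

    The whitelist is checked first so a whitelisted address is never enriched
    or blocked, whatever its count or reputation.
    """
    if is_whitelisted(ip):
        return {"ip": ip, "action": "ignore", "reason": "whitelisted"}
    n = alert_count(ip, alerts, now)
    if n < MIN_ALERTS:
        return {"ip": ip, "action": "irrelevant", "reason": f"{n} alert(s) in 30 days"}
    score = lookup_reputation(ip)
    if score >= MALICIOUS_SCORE:
        return {"ip": ip, "action": "block", "reason": f"score {score}", "alerts": n}
    # Enriched but not malicious: the CDC still gets the information, the IP is left alone.
    return {"ip": ip, "action": "incident_only", "reason": f"score {score}", "alerts": n}


def render_edl(decisions) -> str:
    """Blocklist EDL text: one address per line, deduplicated and sorted (assumed layout)."""
    blocked = sorted({d["ip"] for d in decisions if d["action"] == "block"},
                     key=ipaddress.ip_address)
    return "".join(f"{ip}\n" for ip in blocked)


if __name__ == "__main__":
    results = [triage(ip) for ip in sorted({a["src_ip"] for a in ALERTS})]
    for r in results:
        print(r)
    print(render_edl(results), end="")
```

With the constructed rows, 192.0.2.7 has three alerts inside the window (the 45-day-old one is dropped) and a high score, so it is the only address written to the EDL; 192.0.2.8 reaches the same count but stays off the blocklist, and 198.51.100.44 is ignored before enrichment because its /24 is whitelisted.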
Customer Configuration
No customer configuration
CDC Command Lines
No CDC command lines
Workflows
* **add_new_alert_to_incident**
Handle an alert count of more than three in the last 30 days.
* **automate_create_incident**
Automate create incident.
* **automate_create_incident_for_cdc_2**
Automate create incident for CDC 2.0 or above versions.
* **create_incident_and_block_ip**
Create an incident in the CDC and block the IP.
* **get_cdc_version**
Get the CDC version.
* **mark_the_alert_as_irrelevant**
Handle an alert count of less than or equal to two in the last 30 days.
Rules
* **firewall_exessive_deny_alert_listener**
Firewall excessive deny alert listener
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues
Change Log
Pack Version | Date of Merge | Changes |
---|---|---|
v5.2.5 | 2022-05-20 | Changed configuration title in ReadMe. |
v5.2.4 | 2022-03-07 | Added uca-st-linter to pipeline. |
v5.2.3 | 2021-11-10 | Updated firewall_black_list version in dependencies. |
v5.2.2 | 2021-11-02 | Bugfix: Updated search input add_new_alert_to_incident_workflow. |
v5.2.1 | 2021-10-28 | Fixed linter issue: added default value to config schema. |
v5.2.0 | 2021-10-01 | Updated common logic version. Changes: added datastore.yaml, pack.yaml, pack description, tags, readme jinja template, added actions GEN prefix. |